[Bug 3478] New: Default "kill" action of seccomp sandbox is fragile

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Oct 2 05:54:27 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3478

            Bug ID: 3478
           Summary: Default "kill" action of seccomp sandbox is fragile
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: All
               URL: https://bugs.debian.org/991936
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Created attachment 3615
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3615&action=edit
Change seccomp sandbox default action to ENOSYS

From time to time, glibc changes its syscall wrappers to make use of
new Linux kernel facilities.  The strategy it uses for this is often to
try more recently-introduced syscalls, but fall back to older ones if
it gets ENOSYS, allowing it to cope gracefully with running on older
kernel versions.

Unlike (as I understand it) OpenBSD's pledge(2), sandboxing using
Linux's seccomp inherently violates the abstraction layer of C library
calls to at least some extent, forcing programs that use it to keep
track of changes to the C library.  While OpenSSH has been doing a
reasonable job at keeping up with this, it's fragile and typically
reactive; I've had to update OpenSSH in Debian stable releases in the
past to keep up with new kernels, or sometimes edge cases on less
widely-used architectures.  (In the linked bug, Julian also points out
that it can cause issues when running older userspace versions in
containers or similar on top of newer host kernels, as you might expect
from this class of problem.)  I would like sshd to be less fragile
here.

The attached patch is one possible suggestion for making this less of a
problem in future.  It passes the regression tests here, but is
otherwise definitely in the nature of an RFC.
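To make the failure mode concrete, here is an added illustration that is not part of this report and not the attached patch. It builds a small seccomp-BPF filter in the same shape sshd uses (architecture check, syscall allowlist, then a default action for everything else) and runs a wrapper that follows the glibc strategy described above: try the newer syscall, and on ENOSYS fall back to the older one. The faccessat2/faccessat pair, the one-syscall "allowlist" and the helper names are choices made for this demo; the filter deliberately applies the default action to a single newer syscall so the rest of the process keeps working, whereas sshd's real filter applies it to every syscall outside its allowlist. With the default action set to ENOSYS the fallback succeeds; with SECCOMP_RET_KILL_PROCESS the same code is terminated at the first attempt.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_faccessat2
#define __NR_faccessat2 439            /* same number on every architecture (Linux 5.8+) */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Which path access_with_fallback() took last: 2 = faccessat2, 1 = faccessat fallback. */
static int last_path_used;

/* glibc-style wrapper (demo code): prefer the newer syscall, fall back on ENOSYS.
 * Under a KILL-default sandbox the first line never returns. */
int access_with_fallback(const char *path)
{
    long r = syscall(__NR_faccessat2, AT_FDCWD, path, F_OK, 0);
    if (r == 0 || errno != ENOSYS) {
        last_path_used = 2;
        return (int)r;
    }
    last_path_used = 1;
    return (int)syscall(__NR_faccessat, AT_FDCWD, path, F_OK);
}

/* Install a filter whose default action is `default_action`.
 * Everything except faccessat2 is allowed, so only that one syscall reaches the default. */
int install_filter(unsigned int default_action)
{
    struct sock_filter prog[] = {
        /* Kill if the syscall ABI is not the one this filter was built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number; faccessat2 falls through to the default action. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_faccessat2, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, default_action),
    };
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])),
        .filter = prog,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Returns 1 when the fallback path succeeded under an ENOSYS-default filter,
 * 0 when seccomp could not be installed in this environment, -1 on any other error. */
int demo_fallback_under_enosys(void)
{
    if (install_filter(SECCOMP_RET_ERRNO | ENOSYS) != 0)
        return 0;
    if (access_with_fallback("/") != 0)
        return -1;
    return last_path_used == 1 ? 1 : -1;
}

int main(int argc, char **argv)
{
    /* Run with "kill" to see the fragile variant: the process dies at the first faccessat2. */
    unsigned int action = (argc > 1 && strcmp(argv[1], "kill") == 0)
        ? SECCOMP_RET_KILL_PROCESS
        : (SECCOMP_RET_ERRNO | ENOSYS);
    if (install_filter(action) != 0) {
        perror("seccomp");
        return 1;
    }
    int r = access_with_fallback("/");
    printf("access(\"/\") = %d via %s\n", r,
           last_path_used == 1 ? "faccessat (fallback after ENOSYS)" : "faccessat2");
    return r == 0 ? 0 : 1;
}
```

Built with plain `cc -o demo demo.c`, `./demo` prints that the fallback path was taken, while `./demo kill` is terminated by the sandbox as soon as the wrapper probes the newer syscall, which is exactly the situation a libc upgrade puts a KILL-default sshd in.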
